[ Today’s post comes to us courtesy of Mike Toot from the SBS Marketing Team]
The first line of malware defense is a robust firewall between your business and the Internet. Nearly all routers on the market include firewalls that reduce the attack surface, so most businesses connected to the Internet have one layer of defense in place.
What’s not as apparent is the need for firewalls on each computer within the business. Malware can find its way onto internal computers through e-mail, from USB memory sticks or thumb drives, or external hard drives used to move files between customers. Laptops that are used outside the network can likewise be infected; once the laptop is inside the firewall it can then launch attacks within your network.
When you have a firewall on each computer on the network, you add another layer of protection. Both SBS 2008 and Windows 7 ship with firewalls that help protect you from malware. But how do you manage all these firewalls – router, SBS 2008, desktops and laptops – so they provide uniform protection for what network traffic is allowed in and out of your network?
SBS 2008 and Windows 7 make it easy to manage the firewalls on your network. Both SBS 2008 and Windows 7 use the same firewall technology so you don’t need to memorize a different interface. In addition, if your router is UPnP-enabled, SBS 2008 can manage the router for you so that network traffic is correctly configured for services such as Remote Web Workplace. No need to look up tables for protocols and ports; SBS 2008 makes the changes for you.
To view the SBS 2008 firewall properties, open the Windows SBS Console, click the Security tab, select Server Firewall , and then click View Server Firewall properties .
The Firewall Settings dialog appears, and the General tab shows you overall information about the firewall’s settings. Management functions are on the Advanced tab. Click the Advanced tab and then click Manage rules . Note that on the Advanced tab you can also click Manage Router . This which will launch Internet Explorer and you can then log on to the router and manually configure its settings.
The Windows Firewall dialog opens. It shows you the high-level status, including whether the firewall is on, whether inbound connections are blocked, and whether the firewall generates a notification when a program is blocked. Click Change settings .
The Windows Firewall Settings dialog displays the green check of health and a bright green band on the dialog, letting you know whether the firewall is enabled and providing protection to your server. The dialog also provides the global switch for the server firewall, as well as the Block all incoming connections option. This option is useful if you need to perform troubleshooting on the server. Click the Exceptions tab.
The Exceptions tab shows you which services are allowed through the Windows Firewall to interact with your server. Most administrators will never need to change any settings here, or add exceptions for other programs or services. It does provide a quick way to verify whether a service has been enabled, and clicking the Properties tab lets you see what protocols and ports are in use for that service. Close this dialog and the remaining dialogs and return to the SBS 2008 desktop.
Windows 7 uses the same firewall technology, but with a twist: since laptops and other devices can be used on other networks, the Windows 7 firewall applies location-dependent firewall rules. On a computer running Windows 7, click Start , Control Panel , and then Windows Firewall .
The Windows Firewall shows the high-level rules that are applied on the computer depending on its network type. Since the Windows 7 computer is a member of the SBS 2008 domain, some of the firewall settings are managed by the administrator, so users may not have the ability to change security policies on the computer depending on the rule. To see the specific rules that are being applied on the computer running Windows 7, click Allow a program or feature through Windows Firewall .
The Allowed Programs page shows which programs are allowed to communicate through Windows Firewall and on which network types. This page also shows whether the setting is controlled through a group policy set by SBS 2008. This provides additional flexibility for businesses that want to give its remote employees the ability to use computers at work or at home, yet still provide protection against malware at both locations.
Advanced administrators will also find value in the tools available to manage SBS 2008 and Windows 7 firewall rules. On the server running SBS 2008, click Start , Administrative Tools , and then Windows Firewall with Advanced Security . This launches an MMC snap-in that helps manage domain firewall settings.
For example, if your business uses an instant messaging application to help customers in real time, you can use the Windows Firewall snap-in to configure and deploy a new firewall rule that allows IM traffic. Or, if you want to prevent employees from using an instant messaging application, you can create rules to block inbound and outbound IM traffic. These rules are then applied to a firewall policy group such as the network domain. A full discussion of creating and applying firewall rules to the domain is beyond the scope of this post, but you can find out more information by browsing the SBS 2008 help file and by consulting TechNet.
When used together the Windows Firewall technology in SBS 2008 and Windows 7 help safeguard your work as well as gain more IT control and flexibility. You can now manage more computers and devices, more consistently and more effectively, in less time. It’s yet another way that SBS 2008 and Windows 7 are better together.
For more information on how SBS 2008 and Windows 7 are better together, visit the Microsoft Web site (http://www.microsoft.com/sbs/en/us/windows7.aspx).
For information on a trial version of SBS 2008, visit the Microsoft Web site (http://www.microsoft.com/sbs/en/us/trial-software.aspx).
For a test drive of Windows 7 Professional, visit the Microsoft Web site (http://www.microsoft.com/windows/business/windows-7-test-drive/).